E-mail when alert or drop
kelskein:
I am using Suricata as IDS/IPS on several OPNsense firewalls, which is running great. Now I am checking the firewalls once a month for alerts/drops. Is it possible to configure OPNsense to email when a Suricata alert occurred?
I have been reading about how to set up monit, but this seems to be only for firewall system alerts.
mimugmail:
You should be able to select suricata logs as well I think ..
FullyBorked:
Should be able to select the log file and use a regular expression to pull the dropped log. Might be a bit over my head. I'm wanting to do this as well; if I figure it out I'll try and remember to post it here.
Sent from my GM1917 using Tapatalk
FullyBorked:
I've made some progress here but I'm still a bit over my head.
The logs are located in /var/log/suricata/eve.json
I can parse the logs and provide output using tail and piping to awk and parsing with
--- Code: ---# print selected fields of lines whose 10th comma-separated field contains "blocked";
# the pattern must be a /regex/: a bare word is an empty awk variable that matches every line
tail eve.json | awk -F"," '$10 ~ /blocked/ {print $1,$5,$6,$7,$8,$9,$10,$14}'
--- End code ---
I'm struggling to understand how to get monit to look at only new logs. Do I have to make a script? I'm in over my head there for sure. The tail of the file does a good job of providing output for an alert, but I don't know how it can be used for monitoring.
Articles of note.
* How to setup monit - https://forum.opnsense.org/index.php?topic=5303.0
* Monit Documentation - https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST
* Suricata documentation on how to parse log files - https://buildmedia.readthedocs.org/media/pdf/suricata/suricata-4.0.1/suricata.pdf
FullyBorked:
ok, I waaaaay overthought this. Mainly due to my noobness with monit and opnsense. Here's how to make this work.
Create a Service Test
Name: IPS Block
Condition: content = "blocked"
Action: Alert
Then create Service Settings
Name: Suricata_alert
Type: File
Path: /var/log/suricata/eve.json
Tests: Select "IPS Blocked"
Save, apply, and restart suricata then test and you should get an alert via monit. Hope this helps.
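For anyone who wants more than the single-keyword monit content test, here is an added example (not from any poster above, and not OPNsense or Suricata code) that parses eve.json as JSON instead of by comma-separated field position, keeps only alert events whose action is "blocked", and tracks a read offset so repeated runs only report new lines. The sample log lines and all IP addresses in it are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of Suricata EVE JSON (one object per line), in the shape
# written to /var/log/suricata/eve.json; the values are made up for this example.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2020-01-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}',
    '{"timestamp":"2020-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":4444,"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"signature":"EXAMPLE scan","severity":2}}',
    '{"timestamp":"2020-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":50000,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"signature":"EXAMPLE policy","severity":3}}',
]) + "\n"


def blocked_alerts(text: str) -> List[Dict]:
    """Return only alert events whose action is 'blocked'.

    Each eve.json line is a standalone JSON object, so it is decoded as JSON:
    field order and count differ between event types (flow, dns, alert, ...),
    which is why positional awk parsing picks up the wrong columns.
    """
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written last line is skipped, not fatal
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("action") != "blocked":
            continue
        found.append(ev)
    return found


def summarize(ev: Dict) -> str:
    """One-line summary suitable for the body of an alert e-mail."""
    a = ev["alert"]
    return (f"{ev['timestamp']} {ev.get('proto', '?')} "
            f"{ev['src_ip']}:{ev.get('src_port', '')} -> "
            f"{ev['dest_ip']}:{ev.get('dest_port', '')} "
            f"sid={a.get('signature_id')} sev={a.get('severity')} {a.get('signature')}")


def new_blocked(text: str, offset: int) -> Tuple[List[str], int]:
    """Report blocked alerts found after `offset` (saved from the last run) and
    return the new offset; only complete lines are consumed, so a trailing
    partial line waits for the next run instead of being lost or mis-parsed."""
    chunk = text[offset:]
    end = chunk.rfind("\n") + 1
    return [summarize(ev) for ev in blocked_alerts(chunk[:end])], offset + end
```

In a cron or monit-driven script, persist the returned offset (for example in a small state file) and hand the summaries to the mail command of your choice.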